Open Source Vulnerability Schema

This is the repository for the Open Source Vulnerability schema (OSV Schema), which is currently exported by:

• AlmaLinux
• Bitnami Vulnerability Database
• Chainguard
• Curl
• GitHub Security Advisories
• Global Security Database
• Go Vulnerability Database
• Haskell Security Advisories
• LoopBack Advisory Database
• Malicious Packages Repository
• Mageia Advisories
• OSS-Fuzz
• OSV.dev maintained converters (Debian, Alpine, NVD)
• PyPI Advisory Database
• Python Software Foundation Database
• RConsortium Advisory Database
• Red Hat
• Rocky Linux
• Rust Advisory Database
• SUSE
• Ubuntu
• VMWare Photon OS (unofficial)

Together, these include vulnerabilities from:

• AlmaLinux
• Alpine
• Android
• Bitnami
• Chainguard
• crates.io
• Debian GNU/Linux
• GitHub Actions
• Go
• Haskell
• Hex
• Linux kernel
• Mageia
• Maven
• npm
• NuGet
• openSUSE
• OSS-Fuzz
• Packagist
• Photon OS
• Pub
• PyPI
• Python
• R (CRAN and Bioconductor)
• Red Hat
• SUSE
• Rocky Linux
• RubyGems
• Ubuntu

These vulnerabilities are aggregated by https://osv.dev.

Join the discussion in the OpenSSF Slack channel #osv_schema

Reference tooling (e.g. converters) can be found in the tools/ directory

The current version of the specification is rendered here.

The OSV-Schema specification and the tools here are maintained by the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures Working Group (WG).